Michael Tremer [Sun, 13 Jan 2019 11:50:26 +0000 (12:50 +0100)]
keepalived: Move change of conntrack sysctl option into package
The setting cannot be set on the default system because the ip_vs
module is not loaded by default and there is no reason to load it
just because we would be able to set the setting.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 11 Jan 2019 09:05:24 +0000 (10:05 +0100)]
Revert "geoip-functions.pl: Re-write code to lookup the iso country code of a given IP-address."
Enhanching the code to fix the lookup will rapidely slow down the lookup speed. Because using
the GeoIP2 module is no option ( the reasons have been described in the commit message which will
now reverted), we have decided to temporary switch back to the old module until a nice solution has
been found.
"- Fix heap-buffer-overrun with --one-top-level.
- Support for zstd compression.
- The -K option interacts properly with member names given in the command line.
- Fix CVE-2018-20482"
This patch was reverted because 'tar 1.31' crashed when installing PakFire packages
with the option '--no-overwrite-dir'.
See: https://bugzilla.ipfire.org/show_bug.cgi?id=11958
Included is now a patch from https://savannah.gnu.org/bugs/?55413, which seems to fix this issue.
The test cases given in https://savannah.gnu.org/bugs/?55413#comment1 ran without problems.
As always, please check and confirm.
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Thu, 10 Jan 2019 12:00:17 +0000 (13:00 +0100)]
geoip-functions.pl: Re-write code to lookup the iso country code of a given IP-address.
Drop the usage of the old legacy GeoIP perl module which was not able to handle the
new GeoLite2 databases.
Write some code to directly access the databases and extract the required data.
Usage of the GeoIP2 perl module would provide a lot of more functionality which is not
used/needed. Unfortunately ir requires at lot of additional perl modules which are
not available on IPFire and would only be build and shipped for this module. Buildig all
of them will slow down the entire build process, mess up the system and requires a lot
more space on disk.
Fixes #11962.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
BUG 11786 - squid: Remove setting for filter processes the number of Squid processes
I added a function to determine the number of cores.
Now the number of squid processes will be equal to the number of logical cores.
Further I removed the possibility of changing the number
of squid processes in the proxy.cgi
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org> Signed-off-by: root <root@ipfire.test>
For details see:
http://savannah.gnu.org/forum/forum.php?forum_id=9344
"- Fix heap-buffer-overrun with --one-top-level.
- Support for zstd compression.
- The -K option interacts properly with member names given in the command line.
- Fix CVE-2018-20482"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 26 Dec 2018 13:37:25 +0000 (14:37 +0100)]
dnsforward.cgi: fix for language string
Hi,
In https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=1a26564e95b5694337e51860544e7775d35055f3
the language string 'dnsforward forward_server' => 'DNS-Server', was deleted and replaced
by 'dnsforward forward_servers' => 'DNS-Server',
IMHO this leads to an empty string in 'dnsforward.cgi', line 223:
Erik Kapfer [Thu, 3 Jan 2019 02:57:16 +0000 (03:57 +0100)]
database_attribute: Deliver/create index.txt.attr
Fixes #11904
Since OpenSSL-1.1.0x the database attribute file for IPSec and OpenVPN wasn´t created while initial PKI generation.
OpenVPN delivered an error message but IPSec did crashed within the first attempt.
This problem persists also after X509 deletion and new generation.
index.txt.attr will now be delivered by the system but also deleted and recreated while setting up a new x509.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 27 Dec 2018 17:16:35 +0000 (18:16 +0100)]
wget: Update to 1.20.1
This is a bugfix release:
"due to some privacy issues in default settings of Wget, we introduce
this bugfix release.
The --xattr option (saving original URL and Referer into extended file
attributes) was introduced and enabled by default since Wget 1.19.
It possibly saved - possibly unrecognized by the user - credentials,
access tokes etc that were included in the requested URL.
We changed three details as a countermeasure, see below in the NEWS section.
With Best Regards, Tim
...
NEWS
* Changes in Wget 1.20.1
** --xattr is no longer default since it introduces privacy issues.
** --xattr saves the Referer as scheme/host/port,
user/pw/path/query/fragment
are no longer saved to prevent privacy issues.
** --xattr saves the Original URL without user/password to prevent
privacy issues."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 19 Dec 2018 15:42:23 +0000 (15:42 +0000)]
pcre: Enable JIT
This is now possible because we no longer run grsecurity-enabled
kernels. The performance of PCRE increases dramatically and applications
like the IDS benefit hugely:
Matthias Fischer [Thu, 13 Dec 2018 17:40:24 +0000 (18:40 +0100)]
squid: Update to 4.4 (stable)
For details see:
http://www.squid-cache.org/Versions/v4/changesets/
In July 2018, 'squid 4' was "released for production use", see:
https://wiki.squid-cache.org/Squid-4
"The features have been set and large code changes are reserved for later versions."
I've tested almost all 4.x-versions and patch series before with good results.
Right now, 4.4 is running here with no seen problems together with
'squidclamav', 'squidguard' and 'privoxy'.
I too would declare this version stable.
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 16 Dec 2018 16:50:13 +0000 (16:50 +0000)]
make.sh: Build in ramdisk
This is an experimental change that I want to trial to speed up
the nightly builds. The build environment will be mounted in a
ramdisk and the build will be performed in there.
This will hopefully reduce IO on the (slow) replicated disks.
If there is no significant performance gain from this, this
commit will be reverted.
To enable this, USE_RAMDISK must be set to 1 in .config.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Thu, 13 Dec 2018 11:52:50 +0000 (12:52 +0100)]
grub: xfs: Accept filesystem with sparse inodes
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 12 Dec 2018 11:34:12 +0000 (11:34 +0000)]
AWS: Prefer red* or eth* when importing configuration
This change is necessary to make sure that the script prefers
are link with internet access. That would usually be red (after
the second boot) or eth* (on the first boot).
That allows (and ensures) that we can install packages in
the user-data script.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 11 Dec 2018 20:43:24 +0000 (20:43 +0000)]
installer: Intialize part_boot_efi_idx
This variable was not initialized on systems where EFI was not
in use. Therefore the generated parted command line was not
valid and caused the installation to abort.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>